| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4649f69d-b7cd-d1a6-26e0-9b8bf3b17df5@gmail.com>
Date: Mon, 15 Mar 2021 18:23:37 +0200
From: Topi Miettinen <toiwoton@...il.com>
To: Uladzislau Rezki <urezki@...il.com>
Cc: linux-hardening@...r.kernel.org, akpm@...ux-foundation.org,
linux-mm@...ck.org, linux-kernel@...r.kernel.org,
Andy Lutomirski <luto@...nel.org>,
Jann Horn <jannh@...gle.com>,
Kees Cook <keescook@...omium.org>,
Linux API <linux-api@...r.kernel.org>,
Matthew Wilcox <willy@...radead.org>,
Mike Rapoport <rppt@...nel.org>
Subject: Re: [PATCH v4] mm/vmalloc: randomize vmalloc() allocations
On 15.3.2021 17.35, Uladzislau Rezki wrote:
>> On 14.3.2021 19.23, Uladzislau Rezki wrote:
>>> Also, using vmaloc test driver i can trigger a kernel BUG:
>>>
>>> <snip>
>>> [ 24.627577] kernel BUG at mm/vmalloc.c:1272!
>>
>> It seems that most tests indeed fail. Perhaps the vmalloc subsystem isn't
>> very robust in face of fragmented virtual memory. What could be done to fix
>> that?
>>
> Your patch is broken in context of checking "vend" when you try to
> allocate next time after first attempt. Passed "vend" is different
> there comparing what is checked later to figure out if an allocation
> failed or not:
>
> <snip>
> if (unlikely(addr == vend))
> goto overflow;
> <snip>
Thanks, I'll fix that.
>
>>
>> In this patch, I could retry __alloc_vmap_area() with the whole region after
>> failure of both [random, vend] and [vstart, random] but I'm not sure that
>> would help much. Worth a try of course.
>>
> There is no need in your second [vstart, random]. If a first bigger range
> has not been successful, the smaller one will never be success anyway. The
> best way to go here is to repeat with real [vsart:vend], if it still fails
> on a real range, then it will not be possible to accomplish an allocation
> request with given parameters.
>
>>
>> By the way, some of the tests in test_vmalloc.c don't check for vmalloc()
>> failure, for example in full_fit_alloc_test().
>>
> Where?
Something like this:
diff --git a/lib/test_vmalloc.c b/lib/test_vmalloc.c
index 5cf2fe9aab9e..27e5db9a96b4 100644
--- a/lib/test_vmalloc.c
+++ b/lib/test_vmalloc.c
@@ -182,9 +182,14 @@ static int long_busy_list_alloc_test(void)
if (!ptr)
return rv;
- for (i = 0; i < 15000; i++)
+ for (i = 0; i < 15000; i++) {
ptr[i] = vmalloc(1 * PAGE_SIZE);
+ if (!ptr[i])
+ goto leave;
+ }
+
+
for (i = 0; i < test_loop_count; i++) {
ptr_1 = vmalloc(100 * PAGE_SIZE);
if (!ptr_1)
@@ -236,7 +241,11 @@ static int full_fit_alloc_test(void)
for (i = 0; i < junk_length; i++) {
ptr[i] = vmalloc(1 * PAGE_SIZE);
+ if (!ptr[i])
+ goto error;
junk_ptr[i] = vmalloc(1 * PAGE_SIZE);
+ if (!junk_ptr[i])
+ goto error;
}
for (i = 0; i < junk_length; i++)
@@ -256,8 +265,10 @@ static int full_fit_alloc_test(void)
rv = 0;
error:
- for (i = 0; i < junk_length; i++)
+ for (i = 0; i < junk_length; i++) {
vfree(ptr[i]);
+ vfree(junk_ptr[i]);
+ }
vfree(ptr);
vfree(junk_ptr);
-Topi
Powered by blists - more mailing lists